Madhusudan Singh
2010-Sep-22 16:24 UTC
[Samba] A question about Samba, authentication, groups, quotas, etc.
Hello,

Server: Ubuntu Lucid server version
Role: Samba file server (I administer it)
Authentication: Against a Windows AD (I do not administer it) using winbind. No other authentication scheme is practicable/possible - I do NOT want to manage passwords locally on this machine.
LDAP: Not explicitly configured - local policies require a binary *.so file that does not work with Debian based systems (I don't set this policy).

Status: Authentication works and shares have been set up. People from Windows, Mac and Linux can successfully access their shares. The system is firewall and samba (hosts deny, hosts allow) secured to deny access from anyone outside of the network.

Excerpt from /etc/samba/smb.conf:

    security = ads
    realm = <AD server name in capital case>
    password server = AD server name
    workgroup = LOCALGROUP
    idmap uid = 500-1000000
    idmap gid = 500-1000000
    winbind separator = +
    winbind enum users = no
    winbind enum groups = no
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    domain master = no

    [homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0700
    directory mask = 0700
    valid users = %U
    invalid users = root bin daemon nobody named sys tty disk users

I want to make certain things happen with this, but being a slight Samba newbie (and generally impatient of anything Windows related) I do not know the best way forward (or if what I want is even possible). The situation:

Consider sets of people

A = a colossal set of about 10000 people, each of which can authenticate against the AD referenced above.
B = a set of about 30 people - a subset of A (every member of B is a member of A).
C, D, E = smaller sets of about 4-5 people each. The intersection of C, D, E is non-zero. The union of C, D and E is a subset of B. Wish I could draw a Venn diagram.

All these sets have a fluid membership (people come and go). But the set relationships above, and the rough numbers above, remain more or less constant.

I want:

1. No member of A that is not a member of B to ever be able to access any shares on the server.
2. No member of B to be able to access the home directories (under /home/LOCALGROUP/) that are not his / her own, or one of C, D, or E (read on) if he / she is also a member of C, D or E.
3. Members of C, D and E should be able to access /home/LOCALGROUP/C (or D or E) but no one else should be able to.
4. Impose quotas on all members of B (have maximum upper sizes for /home/LOCALGROUP/<member of B>) and have fixed sizes for C, D and E.

If this were a simple Unix setup, I would define group memberships (and impose quota on /home). But this is a little bit different (and the users are not even listed in /etc/passwd), and I am a bit new to Samba.

Any suggestions?

Thanks.
Madhusudan Singh
2010-Sep-22 17:59 UTC
[Samba] A question about Samba, authentication, groups, quotas, etc.
I understand neither the language nor the intent of this message. How could the initial message possibly be spam? Was it the use of the capital case for the workgroup?

2010/9/22 <postmaster at avi-drome.nl>

> Message rejected: message contains bad words.
> Message is marked as spam.
>
> The information in this e-mail (and any attachments) is intended solely for the addressee(s); use by others is not permitted. The information may be confidential in nature and subject to an obligation of secrecy. If this e-mail is not intended for you, you are requested to inform the sender and to destroy this e-mail. The sender and/or his or her employer cannot guarantee the security and reliability of e-mail communication and accepts no liability for damage resulting from the use of e-mail. Our services and other work are carried out on the basis of a contract for services, to which our general terms and conditions apply.
>
> Please consider the environment before printing this e-mail
Grant
2010-Sep-23 04:44 UTC
[Samba] A question about Samba, authentication, groups, quotas, etc.
On Sep 22, 2010, at 9:24 AM, Madhusudan Singh <singh.madhusudan at gmail.com> wrote:

> [original message quoted in full; see above]

--

Since you are already doing everything based on AD ... have the Windows folks make AD security groups for your groups B, C, D, E, and then filter the shares using smb.conf entries like

    valid users = @ad\groupB
    write list = @ad\groupB

To make it really convenient for you, have the AD team make you an admin for a small area in AD where you set up and administer your groups using Active Directory Users and Computers on a Windows box.
Madhusudan Singh
2010-Sep-29 17:21 UTC
[Samba] A question about Samba, authentication, groups, quotas, etc.
I think I might have worked out the grouping problem locally by simply adding (manually) the names of members of B to /etc/group, and changing the directory ownership to the corresponding groups. It's a strange situation as there are users in /etc/group that are not present in /etc/passwd (they are Windows AD authenticated).

However, a few irritants remain.

1. When I try to use:

    valid users = @localgroupname

it does not permit mounting of the shares (though ssh logins work fine). I have to use

    valid users = %U

to get past that. Is there some way I could enter the group membership in smb.conf?

2. Regarding C, D and E, I have done something similar, and added

    valid users = @localCgroupname

etc. to the share definition. However, when I use an smb login from a Mac client, I see only the home directory mounted and not the second share that the user is a member of (this user is a member of B and C).

Any suggestions are welcome.
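As an added illustration (not code from the thread), the following Python models the access rule discussed above: a share's `valid users` list made of `%U` and `@group` entries, with group membership taken from /etc/group lines that list AD users who have no /etc/passwd entry. The smb.conf excerpt, group names (groupB, groupC) and user names are constructed assumptions; the checker predicts which shares a given user would be offered.

```python
# Constructed smb.conf excerpt (assumption: share and group names are illustrative).
SMB_CONF = """
[homes]
valid users = @groupB
[C]
path = /home/LOCALGROUP/C
valid users = @groupC
"""

# Constructed /etc/group lines; these AD users have no /etc/passwd entry.
ETC_GROUP = """
groupB:x:10001:alice,bob,carol,dave
groupC:x:10002:alice,bob
"""

def parse_group(text):
    """Map group name -> set of member names from /etc/group style lines."""
    groups = {}
    for line in text.strip().splitlines():
        name, _, _, members = line.split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def parse_conf(text):
    """Map share name -> {parameter: value} from a minimal smb.conf."""
    shares, current = {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            shares[current] = {}
        elif "=" in line and current:
            key, value = (s.strip() for s in line.split("=", 1))
            shares[current][key.lower()] = value
    return shares

def allowed(user, share, shares, groups):
    """True if `user` satisfies the share's `valid users` list. Covers only the
    syntax used in the thread: bare names, %U (connecting user) and @group."""
    spec = shares.get(share, {}).get("valid users")
    if share not in shares:
        return False
    if spec is None:
        return True  # no `valid users` line: this setting imposes no restriction
    for entry in spec.split():
        if entry in ("%U", user):
            return True
        if entry.startswith("@") and user in groups.get(entry[1:], set()):
            return True
    return False

def accessible_shares(user, shares, groups):
    """Named shares admitting the user, plus their [homes] share (listed under their own name)."""
    result = [s for s in shares if s != "homes" and allowed(user, s, shares, groups)]
    if allowed(user, "homes", shares, groups):
        result.append(user)
    return sorted(result)
```

With the constructed data, alice (in B and C) gets her home and C, carol (in B only) gets only her home, and an AD user outside B gets nothing.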